K8SPSMDB-1413 skip setting controller owner on secrets owned by Certificates created by cert-manager

pkg/psmdb/tls/certmanager.go

@@ -236,6 +236,10 @@ func (c *certManagerController) WaitForCerts(ctx context.Context, cr *api.Percon
 						continue
 					}
 					if err = controllerutil.SetControllerReference(cr, secret, c.scheme); err != nil {
+						var alreadyOwnedErr *controllerutil.AlreadyOwnedError
+						if errors.As(err, &alreadyOwnedErr) {
+							continue
+						}
 						return errors.Wrap(err, "set controller reference")
 					}
 					if err = c.cl.Update(ctx, secret); err != nil {

pkg/psmdb/tls/certmanager_test.go

@@ -6,13 +6,17 @@ import (
 
 	cm "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/utils/ptr"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake" // nolint
 
 	api "github.com/percona/percona-server-mongodb-operator/pkg/apis/psmdb/v1"
+	"github.com/percona/percona-server-mongodb-operator/pkg/version"
 )
 
 func TestCreateIssuer(t *testing.T) {
@@ -132,12 +136,142 @@ func TestCreateCertificate(t *testing.T) {
 	})
 }
 
+func TestWaitForCerts(t *testing.T) {
+	ctx := context.Background()
+
+	cr := &api.PerconaServerMongoDB{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-cluster",
+			Namespace: "default",
+			UID:       "test-uid-123",
+		},
+		Spec: api.PerconaServerMongoDBSpec{
+			CRVersion: version.Version(),
+		},
+	}
+
+	certName := CertificateCA(cr).SecretName()
+
+	tests := map[string]struct {
+		certificate *cm.Certificate
+		secret      *corev1.Secret
+	}{
+		"with cert-manager managed secret": {
+			certificate: &cm.Certificate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      certName,
+					Namespace: cr.Namespace,
+					UID:       "cert-uid-456",
+				},
+				Spec: cm.CertificateSpec{
+					SecretName: certName,
+				},
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      certName,
+					Namespace: cr.Namespace,
+					Annotations: map[string]string{
+						cm.CertificateNameKey: certName,
+					},
+					OwnerReferences: []metav1.OwnerReference{
+						{
+							APIVersion: cm.SchemeGroupVersion.String(),
+							Kind:       cm.CertificateKind,
+							Name:       certName,
+							UID:        "cert-uid-456",
+							Controller: ptr.To(true),
+						},
+					},
+				},
+				Data: map[string][]byte{
+					"ca.crt":  []byte("fake-ca-cert"),
+					"tls.crt": []byte("fake-tls-cert"),
+					"tls.key": []byte("fake-tls-key"),
+				},
+			},
+		},
+		"with cert-manager managed secret but without OwnerReferences": {
+			certificate: &cm.Certificate{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      certName,
+					Namespace: cr.Namespace,
+					UID:       "cert-uid-456",
+				},
+				Spec: cm.CertificateSpec{
+					SecretName: certName,
+				},
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      certName,
+					Namespace: cr.Namespace,
+					Annotations: map[string]string{
+						cm.CertificateNameKey: certName,
+					},
+				},
+				Data: map[string][]byte{
+					"ca.crt":  []byte("fake-ca-cert"),
+					"tls.crt": []byte("fake-tls-cert"),
+					"tls.key": []byte("fake-tls-key"),
+				},
+			},
+		},
+		"without cert-manager": {
+			certificate: nil,
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      certName,
+					Namespace: cr.Namespace,
+				},
+				Data: map[string][]byte{
+					"ca.crt":  []byte("fake-ca-cert"),
+					"tls.crt": []byte("fake-tls-cert"),
+					"tls.key": []byte("fake-tls-key"),
+				},
+			},
+		},
+	}
+
+	for name, tc := range tests {
+		t.Run(name, func(t *testing.T) {
+			s := scheme.Scheme
+			s.AddKnownTypes(api.SchemeGroupVersion, new(api.PerconaServerMongoDB))
+			s.AddKnownTypes(cm.SchemeGroupVersion, new(cm.Certificate))
+			s.AddKnownTypes(corev1.SchemeGroupVersion, new(corev1.Secret))
+
+			objects := []client.Object{cr, tc.secret}
+			if tc.certificate != nil {
+				objects = append(objects, tc.certificate)
+			}
+
+			cl := fake.NewClientBuilder().
+				WithScheme(s).
+				WithObjects(objects...).
+				WithStatusSubresource(cr).
+				Build()
+
+			controller := &certManagerController{
+				cl:     cl,
+				scheme: s,
+				dryRun: false,
+			}
+
+			err := controller.WaitForCerts(ctx, cr, CertificateCA(cr))
+			assert.NoError(t, err)
+		})
+	}
+}
+
 // creates a fake client to mock API calls with the mock objects
 func buildFakeClient(objs ...client.Object) CertManagerController {
 	s := scheme.Scheme
 
 	s.AddKnownTypes(api.SchemeGroupVersion,
 		new(api.PerconaServerMongoDB),
+	)
+
+	s.AddKnownTypes(cm.SchemeGroupVersion,
 		new(cm.Issuer),
 		new(cm.Certificate),
 	)